SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Routing IRB on SRX

    Posted 11-28-2018 04:33

    I have two VLANs, and two IRB interfaces to route those two VLANs. Both VLANs are associated with the ge-0/0/2 and ge-0/0/3 interfaces.

    Each of these two interfaces goes to its own Cisco switch that accepts the tagged traffic.

    It works perfectly fine if I just choose to use "vlan-tagging" and then set the two VLANs to be routed on the SRX. The problem then is that I still need both of those VLANs on the two separate ports.

     

    What am I missing here?

     

    Relevant config:

     

    ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members [ vlan2 vlan20 ];
                    }
                }
            }
        }
    
    
    ge-0/0/3 { 
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members [ vlan2 vlan20 ];
                    }
                }
            }
        }
    
    show configuration vlans
    vlan2 {
        vlan-id 2;
        l3-interface irb.2;
    }
    vlan20 {
        vlan-id 20;
        l3-interface irb.20;
    }
    
    show configuration interfaces irb
    unit 2 {
        family inet {
            address 10.46.2.1/24;
        }
    }
    unit 20 {
        family inet {
            address 10.46.20.1/24;
        }
    }
    
    
    show configuration security zones security-zone VLAN2
    description VLAN2;
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        irb.2;
    }
    
    show configuration security zones security-zone VLAN20
    description VLAN20;
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        irb.20;
    }
    


  • 2.  RE: Routing IRB on SRX
    Best Answer

    Posted 11-28-2018 05:49

    Please provide SRX platform and Junos version. I suspect you are running an SRX300 series device, where IRBs don't function properly until Junos 15.1X49-D60.

    To help further analysis, please provide output from these commands with ge-0/0/2 and ge-0/0/3 connected as intended.

     

    show ethernet-switching interface

    show ethernet-switching global-information

    show ethernet-switching table vlan-id 2

    show ethernet-switching table vlan-id 10

    show interface irb.2

    show interface irb.20

     



  • 3.  RE: Routing IRB on SRX

    Posted 11-28-2018 09:38

    Hi, 

    Thanks for a quick response. 

     

     

    I upgraded firmware and lo and behold it works.

    Thank you very much for the quick answer. Much appreciated. 

     

     

    My current working configuration.

    show version
    Model: srx300
    Junos: 15.1X49-D120.3
    JUNOS Software Release [15.1X49-D120.3]
    
    
    ge-0/0/2 {
        description SW1.P8;
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ VLAN2 VLAN20 ];
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members [ VLAN2 VLAN20 ];
                }
            }
        }
    }
    
    
    show configuration interfaces irb
    unit 2 {
        family inet {
            address 10.46.2.1/24;
        }
    }
    unit 20 {
        family inet {
            address 10.46.20.1/24;
        }
    }
    show ethernet-switching interface
    Routing Instance Name : default-switch
    Logical Interface flags (DL - disable learning, AD - packet action drop,
                             LH - MAC limit hit, DN - interface down,
                             MMAS - Mac-move action shutdown,
                             SCTL - shutdown by Storm-control )
    
    Logical         Vlan                   TAG   MAC    STP         Logical          Tagging
    interface       members                      limit  state       interface flags
    ge-0/0/1.0                                   16383                               untagged
                    VLAN3             3     16383  Forwarding                   untagged
    ge-0/0/3.0                                   16383                               tagged
                    VLAN20          2     16383  Forwarding                   tagged
                    VLAN20          20    16383  Forwarding                   tagged
    ge-0/0/2.0                                   16383                               tagged
                    VLAN20          2     16383  Forwarding                   tagged
                    VLAN20          20    16383  Forwarding                   tagged
    
    show ethernet-switching global-information
    Global Configuration:
    
    MAC aging interval    : 300
    MAC learning          : Enabled
    MAC statistics        : Disabled
    MAC limit Count       : 16383
    MAC limit hit         : Disabled
    MAC packet action drop: Disabled
    LE  aging time        : 1200
    LE  VLAN aging time   : 1200
    Global Mode           : Switching
    
    show ethernet-switching table vlan-id 2
    
    MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
               SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)
    
    
    Ethernet switching table : 2 entries, 2 learned
    Routing instance : default-switch
        Vlan                MAC                 MAC         Age    Logical                NH        RTR
        name                address             flags              interface              Index     ID
        VLAN2       CISCOSWITCH   D             -   ge-0/0/2.0             0         0
        VLAN2       CISCOSWITCH   D             -   ge-0/0/3.0             0         0
    
    show ethernet-switching table vlan-id 20
    
    MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
               SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)
    
    
    Ethernet switching table : 1 entries, 1 learned
    Routing instance : default-switch
        Vlan                MAC                 MAC         Age    Logical                NH        RTR
        name                address             flags              interface              Index     ID
        VLAN20       CISCOSWITCH   D             -   ge-0/0/2.0             0         0
    
    show configuration interfaces irb.2
    family inet {
        address 10.46.2.1/24;
    }
    show configuration interfaces irb.20
    family inet {
        address 10.46.20.1/24;
    }
    

     



  • 4.  RE: Routing IRB on SRX

    Posted 11-28-2018 11:11

    After some troubleshooting I can't seem to get DHCP to function on either VLAN2 or VLAN20.

    In this case I have set the irbs to be part of the DHCP group, yet they don't hand out IPs to the clients that ask.

    Thankful for anyone that might know what I can do to get further in this.

    If I set a static address on VLAN2 it works, but not VLAN20.



  • 5.  RE: Routing IRB on SRX

    Posted 11-28-2018 16:27

    Not sure if this is also needed on SRX but on the MX series when using irb interfaces with DHCP relay you have to enable the broadcast option in the bridge domain.

     

    https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/policy-configuring-routers-or-interfaces-as-dhcp-and-bootp-relay-agents.html

     

    Best Practice

    To use bootp helper on a MX Series router (MX80, MX240, MX480 and MX960) connected via IRB, you may need to take steps to ensure that DHCP discover packets (the bootp reply) are sent to clients and received as expected. Otherwise, bootp replies may be dropped because the DHCP client is clearing the broadcast bit in the discover packet, or because the DHCP server is stripping option-82 flags from the offer.

    This happens when the IRB interface is a layer 3 (logical) interface associated with a bridge domain that has multiple layer 2 (physical) interfaces associated with it. In such cases, if the offer from the DHCP server is unicast and doesn’t include an ingress interface identifying the physical interface on which the discovery packet was received, the MX router won’t be able to determine an interface for sending out offers.

     



  • 6.  RE: Routing IRB on SRX

    Posted 11-29-2018 01:39

    Please share your dhcp-related config as there can be many reasons why it isn't working.

     

    Steve's comment regarding broadcast option is not relevant on the SRX300 series.
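
Added example, not part of any post in this thread: the VLAN2 and VLAN20 zones in the first post accept every system service and protocol addressed to the SRX on irb.2 and irb.20. The as-posted VLAN2 zone is shown beside a narrower form; the choice of `dhcp` and `ping` as the only services the SRX must answer on these IRBs is an assumption, and VLAN20 would be changed the same way.

```junos
/* As posted: any service or routing protocol addressed to the SRX is accepted on irb.2 */
security-zone VLAN2 {
    description VLAN2;
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        irb.2;
    }
}

/* Narrowed (assumed requirement: clients only need DHCP and ping from the SRX) */
security-zone VLAN2 {
    description VLAN2;
    host-inbound-traffic {
        system-services {
            dhcp;
            ping;
        }
        /* no protocols stanza: no routing protocols are accepted from this VLAN */
    }
    interfaces {
        irb.2;
    }
}
```

host-inbound-traffic only governs traffic addressed to the SRX itself; traffic routed between VLAN2 and VLAN20 is still controlled by the security policies between the two zones.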